Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
March 7 2009
Alan: If you thought a botnet never could affect you, you had really better think again. Our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Hey, Alan. Thanks for having me back.
Alan: Randy, I hear all the time that a botnet is not really going to affect me; but I know of a couple of hospitals that are really re-thinking that logic again, aren’t they?
Randy: Yes, definitely. It doesn’t even have to be something as important as a hospital for a botnet to make a major impact. So, it was a hospital that got hit with the Conficker worm that has a serious problem. Even though right now Conficker isn’t active as a botnet, per se, it has all the components required to turn it into a big botnet.
When someone like a hospital gets hit with Conficker, they have to take down computers (literally take them off the network) and spend a lot of time and resources trying to get those things back up; and it’s a major disruption for a critical service.
Alan: So, where do they come up with these names like “Conficker?”
Randy: That’s a good question. Sometimes it’s really obvious and sometimes it’s hard to say. I’m not sure with Conficker. “Nimda” was named because that’s admin spelled backwards and Nimda dropped the file name “admin.dll.” Other viruses will take a word that’s in the virus and turn it around or make a play on it, things like that.
But, for Conficker, I’m not sure. Not everyone calls it that. Some people call it “Downadup” and there are a couple of other names out there by different anti-virus companies.
Alan: I mean, even according to SC Magazine, when they are talking about botnets, they are attributing 80% of the world’s spam to botnets. That’s a lot, isn’t it?
Randy: It is. People don’t realize how much spam is out there, because their ISPs are blocking probably in excess of 95% of the spam. The spam that they see is really just the tip of the iceberg.
Alan: I mean when they took down just one site, 20% of all the malicious emails just kind of fell off the world. And that’s just with one site going down.
Randy: Yes, that was a hosting provider that had ties with a lot of bad guys, and a major botnet that’s responsible for tons and tons of spam went silent because the command and control center at that site went down.
Alan: And unfortunately, it didn’t take long before it started back up again, because that malicious code is written in such a way that it really looks for things like, “Maybe my control center is going down and I’m just going to have to wait a little bit and I’ll find another control center.”
Randy: Yes, they program those bots so that they don’t give up easily, and they will keep trying to find new places. Sometimes a program is hard-coded and the good guys can analyze the bot and say, “Oh, this is where it’s going to look next.”
Other times, like with Conficker, it’s got a program, an algorithm, where it will keep generating names of websites to go check in at. It was interesting, because the bad guys didn’t register those websites, and the good guys were able to figure out the algorithm and actually register some of those websites. As a result, they could put up what they want, so that when the bot contacts that website we can learn more about the activity of that bot.
Alan: People have the misconception that “When a botnet gets established, immediately it starts to take over my computer system.” It really doesn’t have to do that, does it? It can wait for any period of time before it actually activates.
Randy: Most people aren’t going to know if they have a bot on their computer. It isn’t designed to be noticeable. In fact, it’s designed to be unnoticed, because they want to control that computer as long as they can. You can have a bot on your computer and never be aware of it if you aren’t using anti-virus software.
Alan: I mean, this is almost like being possessed in the sense that you are walking around and you appear absolutely normal and everybody else thinks that you are normal, but then somebody gives you this key or this word or phrase and instantly you turn into a zombie and you do their bidding - it is very scary, isn’t it?
Randy: Well, we do call things that have bots on them zombies. And yes, they wake up at a command and they do what they are told to do. It doesn’t have to be a hospital machine. If it’s your own personal computer, you can be sending spam to your grandmother and not even know about it, because you’ve got a bot on your computer. Because you can be sending it to a lot more people, and it’s not just people that you know.
Your computer can be used to store illegal material, such as pirated software or illegal types of pornography, because bots can download and turn on shared directories on these computers so that other people that are looking for these things will come to your computer.
And when law enforcement finds out about it, they often are not technically savvy enough to even think, “Well, maybe this computer is infected.” They just often assume that whoever has the computer is the one that’s downloaded this content.
Alan: And it can really get people into serious, serious trouble because they really have no idea what files are on their computer system and they really don’t have any idea how they got there; they didn’t even know that they are there, but all of a sudden somebody knocks on the door and says, “Hey, we are going to check your computer system because somebody mentioned that you were sending out emails or pornography or something like that.” This could actually ruin a person’s life.
Randy: There have been cases of that. And it’s not just that they are going to check your computer system; they are going to confiscate your computer and it might be a long, long time before you get that computer back.
Alan: I mean you might as well just write it off, because by the time you get it back that computer system is going to be totally old and it will probably be “toast” by the time they go through everything.
People keep their whole life on computers now, and people say, “Well, I’ve got nothing on my computer that anybody would want.” Well, if you really started looking on your computer system to see how your computer reacts with the real world, you would be amazed if you thought somebody was standing over your shoulder, watching you all day, and that’s basically what a botnet does, doesn’t it?
Randy: A bot can do that. There are bots that will look at your activities. There are a variety of purposes for bots and sometimes they are used to get personal information to perform identity theft or get personal information that tells other people that will, in turn, perform identity theft. And people are not usually aware of how much information leaves their computer.
Alan: Well, let’s just take this new botnet that’s out there called Conficker and exactly what does it do and how does it affect our computers?
Randy: Conficker is an interesting one, because currently it isn’t what we would traditionally call a botnet. It hasn’t been doing much of anything, other than infecting computers. In fact, one of the ways it infects computers is by exploiting a vulnerability. So, if that vulnerability is patched, that’s one way to help prevent getting Conficker.
But, if Conficker comes up, it actually patches the vulnerability so that other malware can’t exploit it. But, once it’s there, currently it’s just going to different websites, looking for instructions, and it’s not yet being given any instructions to do anything. What’s really troubling about Conficker is not only does it use the vulnerability; it also spreads through USB drives or removable media, and it can spread on a network by guessing weak passwords. And these are all basics: turn off autorun, keep your computer patched, and don’t use a weak password.
We are seeing a lot of these infections in corporations. Microsoft has been really good about making patching easy for home users, but the corporations are not patching quickly enough.
Alan: So, you could probably call this a “worm,” or you could go back and call it a real “virus,” because it’s doing what viruses do, it duplicates itself all over the world?
Randy: Yes. Viruses and worms both replicate. The definition of a worm varies a bit from professional to professional. Some people say that for it to be a worm it has to be completely self-contained, which Conficker is. Others say that if it spreads through a network, it’s a worm, which Conficker does. Other people say that a worm is really just a subset of virus, so I’m not going to take issue with whether you want to call it either a virus or a worm.
Alan: What damage does this worm do? If you just say it’s on, say a hospital computer; and in this case it really hasn’t done anything malicious, what is the big problem?
Randy: The big problem is we don’t know what it might do in the future. It’s capable of downloading and running software, so it could instantly become a pretty active botnet and in that case it can steal information; it can send spam; it can host illegal files; it can be used for what we call a “distributed denial of service attack,” where it will attack other computers. The latent potential right now is pretty alarming.
The fact that it’s there means that there are some really, really bad security practices in place, and it’s really a wake-up call right now. If you’ve got Conficker, you’ve got to look at your security practices and really beef up your security; because, if you are vulnerable to Conficker, you are vulnerable to malware that is known to do a lot worse, that exploits the same vulnerability that Conficker did; it’s not hard to spread through USB drives; it’s not hard to write a program that guesses weak passwords. If Conficker got in, you are wide-open; you’re exposed to all kinds of attacks.
Alan: You would think that a hospital would have the type of security in place, because they have patients’ files; they have information there that can do serious damage to a patient if it gets out to the rest of the world. But, I guess this is just not the case, is it?
Randy: I just saw an article in the past day or two. There were three hospitals in London that just released a very scary report. They got infected with Mytob, which has been detected by anti-virus software for a long time. And these three hospitals in London, alone, got infected with this old virus.
Alan: I know you and I talk about all the time, “defense in-depth,” and this is a case where they really needed to have multiple types of defenses. They needed to have anti-virus, anti-threat protection on every machine that was available to the Internet, but it’s also very important to have some kind of education in effect to let the IT department know what is going on.
Randy: Yes, education is essential. It’s important that companies and organizations provide on-going education for their IT staff. All the staff needs some basic level of education. Policies are also very important, and more advanced techniques like segmentation of the network are also very important, because that can protect parts of the network that have critical data on them so that they are isolated from other parts that might be facing the Internet.
Alan: What, exactly is ESET doing to keep us safe from botnets and all this malware and all these security breaches that you read about in the newspaper?
Randy: Our main focus has been for more than a decade to prevent you from getting infected. We try to maintain detection against the latest threat and have developed approaches where we don’t have to see a threat before we detect it. We are able to proactively prevent infections from many different threats because our heuristics, the ability to identify the behaviors of a program, will block the threat.
But, we are also very firm believers in education; weekly podcasts; we maintain a blog. I also talk to you on the radio and try to get information to consumers to help them protect themselves, because education is really critical. Anti-virus software, firewalls, routers, and computers – they are all just tools, and if you don’t know how to use the tool, any tool is dangerous. Education is the key to using the tools effectively.
Alan: And you are constantly up on all this, because the only thing that ESET does is to put out protection software; you don’t sell other utility programs; and you don’t sell operating systems. This is the only thing that you do. You protect our computers and you do a great job of that.
Randy: Computers and now also some cell phones too. We have ESET Mobile Anti-Virus, as well as ESET Nod32 and ESET Smart Security, which includes the firewall and anti-spam, as well as the anti-malware.
Alan: And you have an incentive for doing it right because if you miss any of these threats that are out there, I mean this is your only business.
Randy: We do our best to catch as much as possible and if we miss something to get it up to date and we offer free support to our customers, so you don’t get the product and then if you have a problem have to pay more to get it solved. Our support is included in the cost of the Product.
Alan: And you actually have full support in your Trial Ware. I mean when we get your Trial Ware for 30 days to see how we like it and see how it protects us – it’s full-featured; it’s not one that goes out there and says, “This is what I found and now pay me and I’ll take it off.” It is fully updatable. You actually get full definitions for the full time of the Trial, don’t you?
Randy: The Trial is fully-functional and if you decide that you are ready to purchase the Product then we simply send you license information that you copy and paste in and it is the full Product. We don’t cripple it, other than after 30 days it is no longer able to update anymore.
Alan: Randy, we’ve run out of time and we need to continue this conversation, talking about what we need to do to prepare ourselves for all these new threats that are trying to get into our computer systems next time.
Randy: Okay. Thank you very much for having me. It’s always great to be here.